by Nextgrid 2230 days ago
This is also not GDPR compliant, not that anyone actually bothers to enforce the law.

If we respect the GDPR then data sharing for Facebook Login should only happen once the user presses the Facebook login button (as at that point the data sharing becomes essential to provide the functionality).

As far as ad/marketing attribution goes, it should be opt-in as that is not an essential requirement to provide the service (and even less so for paid apps).

In both cases the SDK breaches the GDPR as it calls out every time it's loaded and upon first launch it will "register" itself with Facebook by submitting device information (make/model, carrier name, locale, timezone, etc) and obtain a unique ID which is then used in subsequent requests, providing Facebook with a trail of your whereabouts and usage patterns based on IP addresses you connect from (which they can then correlate with any other information they have).


Re: Ad/marketing attribution, that's not necessarily correct. If the data point that gets sent back to Facebook is a GUID type string that matches the GUID that got generated when you first clicked the Facebook ad for the app and doesn't include data about you specifically, I believe that's fine. I don't myself have up-to-date information on what data Facebook receives via its SDK but I suspect it is GDPR compliant through such methods.

GDPR specifically allows for anonymized/aggregated data on app usage or marketing feedback: https://gdpr.eu/eu-gdpr-personal-data/

> matches the GUID that got generated when you first clicked the Facebook ad

Knowing Facebook, that GUID would surely be bound to the user, still leaking to Facebook that the user is now using the app.

An ad campaign ID (same for all ads of this format in this campaign) sent to the app developer (which can then aggregate them on their side and send the daily aggregated data to Facebook) would be better.

In the eyes of the law, how is storing and sending the guid later different from storing and sending a cookie?

Edit: the GDPR link specifically says identifier numbers are personal information, and I don’t see a carve-out for allowing targeted marketing campaigns to use them to measure/improve targeting performance.

Wrong link, maybe?

Sorry, use of the term GUID confused things - I meant that if an identifier string is generated when you click on the ad, and the purpose is to simply see if that identifier completes the app install and first use - that's not against GDPR. (In my head GUID means "unique identifier string".) Storing the GUID tells you nothing other than some device clicked on an ad and some device did or did not complete the app install.